IT Security News Blast 8-22-2017

The cybersecurity risks to financial services that are making the biggest impact in 2017

Cybersecurity products and platforms can do a great job for you—when your organisation has the expertise and number of people needed to implement and use them correctly, for example, to configure and tune the products and interpret the large volumes of data being produced. The problem for most firms involved in financial services and capital markets is that they just don’t have the number of people or the skills and experience required to use their tools well. […] Some cybersecurity product firms have added consulting arms in recent years, but it is unlikely (read: impossible) that this can be enough to fill the current gap, let alone what is coming.

One sure way to do this is to state the following: an effective cybersecurity strategy will benefit the company’s balance sheet. When companies decide who to do business with, risk is always a pivotal factor, and so the better your security, the more attractive your services are. Since board meetings are often directed towards strategy, presenting cybersecurity in terms of financial risk and reward makes it an integral part of a business plan, rather than just a peripheral issue. Fundamentally, safety of operations can help you grow market share as your firm becomes a low-risk option when compared with competitors.

Blockchain tech has an inherent connection to cybersecurity. Blockchain technologies are, after all, the culmination of decades of research and breakthroughs in cryptography and security. They offer a totally different approach to storing information, making transactions, performing functions, and establishing trust, which makes them especially suitable for environments with high security requirements and mutually unknown actors.

While healthcare cloud can be a boon to security, organizations often hesitate to transition to cloud storage because they are worried that data could become exposed in the cloud. Healthcare entities must ensure that basic data security controls are still implemented with cloud computing. This can include data encryption and business associate agreements (BAAs) with cloud service providers (CSPs). That way, providers know when the CSP is liable under the BAA and when it is not at fault for a potential data security incident. Research indicates that healthcare organizations sometimes do not fully utilize the cloud security options available to them.

Ukraine’s central bank has warned state-owned and private banks across the country that a new malware campaign targeting financial services firms may be a prelude to another assault of NotPetya proportions. “The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any anti-virus software, suggest that this attack is preparation for a mass cyberattack on the corporate networks of Ukrainian businesses,” the central bank warned financial institutions earlier this month, in a letter seen by Reuters.

“We’ve been worried for some time that one of the ways that North Korea can retaliate against further escalation of tensions is via cyber, and particularly attacks against our financial sector,” said Dmitri Alperovitch, co-founder of Crowdstrike, a cyber security firm. “This is something they have really perfected as an art against South Korea.” U.S. law enforcement and homeland security officials said in a June 13 analysis that they believe North Korea is targeting the media, aerospace, financial and critical infrastructure sectors in the United States. […] Intelligence officials say that while the U.S. has cyber offensive capabilities to retaliate, it remains vulnerable to attacks.

David Fidler, on the other hand, in a blog post titled ‘US Cyber Diplomacy Requires More than an Office,’ argues that the downgrading of cyber in the Trump administration’s foreign policy was already clear: the “White House’s refusal to confront Russia’s cyber interference in the 2016 election, and instead, express a desire to establish a joint cybersecurity unit with Russia, is also consistent with the administration’s marginalisation of the State Department in its ‘America First’ foreign policy.”

Jamil Jaffer, founder of the National Security Institute at George Mason University’s Antonin Scalia Law School and a visiting fellow at the Hoover Institution, said that there is little opposition to a unified Cyber Command. But Jaffer added that there has been an ongoing debate over whether and how CYBERCOM should be split off from the NSA. […] Jaffer said a split could have the unintended consequence of slowing down the efficiency of both operations. “I do think it’s important to have the offensive and defensive cyber capabilities that Cyber Command has, while also ensuring we preserve NSA’s signals intelligence capabilities,” Jaffer added.

The EW review, which Milley officially launched in April, is separate from a high-profile review of Army networks we’ve previously reported on. The network review focuses on streamlining and strengthening a wide range of Army systems so they can better withstand cyber/electronic attack. The EW review, however, looks at more active measures to detect, deceive, and disrupt enemy radio and radar. Those are capabilities the Army almost entirely disbanded after 1991, only to relearn from Russia’s 2014 invasion of Ukraine how devastating they could be.

The Defense Advanced Research Projects Agency has released a request for proposals on a program that seeks to develop a blockchain-based messaging service for deployed U.S. troops. If “significant portions of the [Defense Department] back-office infrastructure can be decentralized, smart documents and contracts can be instantly and securely sent and received, thereby reducing exposure to hackers and reducing needless delays in DoD back-office correspondence,” DARPA wrote. The report also noted that DARPA has begun development work on blockchain-based code that it says cannot be breached by potential hackers.

The documents reveal that the Joint Defence Facility Pine Gap, located outside Alice Springs, deployed cutting-edge satellite technology for detailed geolocation intelligence that helps the US military locate targets for special forces and drone strikes. […] According to the leaked documents, these satellites collect “strategic and tactical military, scientific, political, and economic communications signals,” and also keep eyes on any missile or weapon tests in targeted countries, steal intel from foreign military data systems, and provide surveillance support to United States forces.

Classified documents from Macedonia’s intelligence agency that were leaked to The Guardian showed that “Russian spies and diplomats have been involved in a nearly decade-long effort to spread propaganda and provoke discord in Macedonia.” […] British officials say they believe that in 2015, Russia “interfered directly in UK elections” with a series of attempted cyber hacks and “clandestine online activity,” according to The Independent. […] “We had talked to our French counterparts,” he said, “and gave them a heads-up: ‘Look, we’re watching the Russians, we’re seeing them penetrate some of your infrastructure.’”

The FTC does not have rulemaking authority, but it can enforce prohibitions on false and deceptive conduct or failure to meet the reasonable expectations of customers, including on data security. Just last week, it settled with app-based car-hailing service Uber over allegations of deceptive data security claims, a development that FTC chair Maureen Ohlhausen said demonstrated the agency’s ongoing commitment to privacy and security. […] The FTC has been doing data-security work for years, but for 2017, our enforcement program is going to be looking at sensitive data first and foremost, including companies that are dealing with information about children, financial and health information, Social Security numbers and geolocation.

Rebel Media founder Ezra Levant said he was given 24 hours’ notice and no explanation for the action. He did not identify the technology company. “If this was a political censorship decision, it is terrifying – like a phone company telling you it is cancelling your phone number on 24 hours notice because it doesn’t like your conversations,” Levant told Reuters. […] Several other contributors have left the online publication over the past week and some prominent conservative Canada politicians have also sought to distance themselves from the site, according to media reports.

“Everybody’s a target. Everyone is,” he says. “Small-to-medium-sized businesses, some [of them] say, ‘well, cybersecurity isn’t big for us – we’re a small company, nobody would hit us.’ Well, you know what? That approach now has to change. “Here’s the beauty of cybercrime: you don’t need to be good. You don’t need to be sophisticated. My eleven-year-old daughter could go online and run a ransomware campaign and probably make more money than her dad. That’s the reality. There’s a misconception that if it’s nation state [backed], it’s really, really good. That’s not the case.

Landing that infosec job: These experts share their best career advice

“In my career, I have never seen a university, technical school, or certification program that will fully prepare a student to excel in either offensive or defensive security. Certainly there are outstanding programs out there that teach specific skill sets, but technical skills are quickly obsolete and involve depth beyond the material that can be taught in a semester or a year,” she said. “What divides an ‘okay’ information security candidate from a great one is the motivation to learn more about the field outside work, every week,” she said. “What this looks like depends on the niche — perhaps working in a home lab, or reading new computer legislation.” “Regardless, people who have no interest in the field outside of business hours will quickly find themselves at a disadvantage in the market,” she said.

Code chunk in Kronos malware used long before MalwareTech published it

The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors’ allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.

On August 20th, Enigma, a decentralized marketplace and cryptocurrency investment platform, was hacked by an unknown attacker. As a result, $500,000 in Ethereum was stolen. The attack occurred while the company was gearing up for a crypto token sale. The attack relied on account takeover rather than a platform exploit: the attacker gained control of Enigma’s website, admin passwords, email newsletter and Slack account, then built and uploaded a fake pre-sale page carrying a phony ETH address and tricked users into sending money to it.

Smart Devices Can Be Hijacked to Track Your Body Movements And Activities Remotely

Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington’s Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall. The CovertBand tracking system uses the built-in microphones and speakers found in smartphones, laptops, tablets, smart assistants and other smart devices as a transmitter and receiver: the speaker emits sound and the microphone picks up the reflected sound waves, tracking the movements of anyone near the audio source. The attack involves remotely hijacking smart devices to play music embedded with repeating pulses that track a person’s position, body movements, and activities, both near the device and through walls.

The last flaw is where an attacker creates a malicious DOCX file containing an external object. This object is linked to an HTA file on the attacker’s server. The DOCX file is then uploaded successfully to LinkedIn’s CDN, passes the virus check, and is sent to the victim. When the victim opens the malicious DOCX file, WINWORD automatically downloads the HTA file through the object link and then runs it. Once the HTA file is executed, the victim is infected. Check Point identified the four flaws and reported the discovery to LinkedIn on 14 June 2017. LinkedIn verified and acknowledged the security issues and deployed a fix effective 24 June 2017.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.